Vsys
Interfaces and security zones can be grouped into virtual systems (vsys), which are then managed independently of each other. PA-500, PA-200, and VM-Series firewalls do NOT support virtual systems.

'''VSYS License:'''
* A Virtual System license is required to enable support for multiple virtual systems on the PA-2000 and PA-3000 series.
* You must purchase a Virtual System license if you want to increase the number of virtual systems beyond the base number provided by default on the PA-4000 and PA-5000 series.

'''Multiple Virtual System Environment:'''
* Interfaces, zones, VLANs, virtual wires, and virtual routers (VR) must be assigned to a virtual system (a Virtual System column is added to the respective pages).
* A Virtual System drop-down list is added under the Policies and Objects tabs. Before defining a policy or policy object, you must select the appropriate virtual system.
* Remote logging destinations (SNMP, Syslog, and email), as well as applications, services, and profiles, can be shared by all virtual systems or limited to a selected virtual system.
* Virtual routers, security zones, and VLANs can be defined before creating the vsys, or added at a later stage by specifying the vsys when the resource is created.

'''Admin roles:'''
* An administrator account dedicated to a virtual system is required: Device -> Administrators.
* The default admin (admin) / superuser = may only change the Objects and Policies that are stored as part of that specific vsys.
** Can define policies and add security profiles (URL filtering, AV scanning, malware (IPS) scanning, spyware/adware scanning, and data leakage prevention (DLP)) to a specific vsys.
* '''Virtual System Administrator''' = only has a view of their own policies.
** A Virtual System Admin does NOT have permission to make changes to device-level configurations such as interfaces, vsys, and the contents of the Device tab.
'''Activation:''' Device -> Setup -> Management (tab) -> General Settings
* Once enabled, the "Virtual Systems" and "Shared Gateways" menu items become available in the left tree menu under the Device tab.
* Add the access interface/method to the new vsys.
** EX: a Layer 3 interface is added using a VLAN tag to classify the data. The trunk port can be shared by multiple vsys; using a trunk port to service multiple vsys is a common technique.
** Note: ingress and egress interfaces must either be part of the same virtual router, or part of two virtual routers that contain inter-VR static routes.

'''Shared Gateway:'''
* A shared gateway lets multiple virtual systems share a single interface (typically connected to a common upstream network such as an ISP).
* A shared gateway does not contain any security policies and therefore does NOT require an "external vsys" zone.
* Communications originating in a vsys and exiting the firewall through a shared gateway require a policy, just as communications passing between two vsys do.
** An "external vsys" zone is used to define the security rules in the vsys.

'''Deployments:'''
* A deployment mode (virtual wire, Layer 2, or Layer 3) can be selected independently for each virtual system.
* '''Virtual Wire:''' traffic passing between a pair of physical interfaces is directed to a particular virtual system.
* '''Layer 2 and Layer 3:''' traffic may be associated with different virtual systems based on its VLAN tag.
** VLAN tags are used to classify the data.
** The trunk port can be shared by multiple vsys; this is a common technique.
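The constraints above (every VR and zone owned by a vsys; ingress and egress in one VR or in two VRs linked by inter-VR static routes; a security rule and an "external vsys" zone on the vsys side for inter-vsys and shared-gateway traffic, but none on the shared gateway itself) can be checked mechanically before a commit. The following is an added example written for this page, not Palo Alto Networks code and not a PAN-OS API or CLI; the class names, field names, the two-vsys sample configuration and the interface names are assumptions constructed for illustration.

```python
"""Constructed model of the vsys constraints summarised on this page.

Added illustration: not Palo Alto Networks code and not a PAN-OS API.
Class names, fields and the sample configuration are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class VirtualRouter:
    name: str
    vsys: str                                           # owning vsys or shared gateway
    interfaces: set = field(default_factory=set)
    inter_vr_routes: set = field(default_factory=set)   # peer VR names reachable via static routes


@dataclass
class Zone:
    name: str
    vsys: str                  # owning vsys or shared gateway
    external_to: str = None    # set when this is an "external vsys" zone naming the peer


@dataclass
class Firewall:
    vsys: set
    shared_gateways: set
    vrs: list
    zones: list

    def unassigned_resources(self):
        """Rule: VRs and zones must be assigned to a defined vsys (or shared gateway)."""
        owners = self.vsys | self.shared_gateways
        bad = [f"vr:{v.name}" for v in self.vrs if v.vsys not in owners]
        bad += [f"zone:{z.name}" for z in self.zones if z.vsys not in owners]
        return bad

    def _vr_of(self, iface):
        return next((v for v in self.vrs if iface in v.interfaces), None)

    def forwarding_possible(self, ingress, egress):
        """Rule: ingress and egress share one VR, or sit in two VRs with inter-VR static routes."""
        a, b = self._vr_of(ingress), self._vr_of(egress)
        if a is None or b is None:
            return False
        return a is b or (b.name in a.inter_vr_routes and a.name in b.inter_vr_routes)

    def policy_check(self, src_vsys, dst):
        """Report which vsys must carry security rules for traffic leaving src_vsys
        toward dst (a peer vsys or a shared gateway), and which of those vsys
        still lack the "external vsys" zone the rules are written against."""
        if dst == src_vsys:
            return {"rules_in": [src_vsys], "missing_external_zones": []}
        # A shared gateway holds no security policy, so only the vsys side needs
        # a rule and an external zone; between two vsys, each side carries its own rule.
        rules_in = [src_vsys] if dst in self.shared_gateways else [src_vsys, dst]
        missing = []
        for owner, peer in ((src_vsys, dst), (dst, src_vsys)):
            has_zone = any(z.vsys == owner and z.external_to == peer for z in self.zones)
            if owner in rules_in and not has_zone:
                missing.append(owner)
        return {"rules_in": rules_in, "missing_external_zones": missing}


def build_sample():
    """Constructed two-vsys firewall with one shared gateway; not from any real device."""
    vrs = [
        VirtualRouter("vr1", "vsys1", {"ethernet1/1", "ethernet1/3.10"}),
        VirtualRouter("vr2", "vsys2", {"ethernet1/3.20"}, inter_vr_routes={"vr-sg"}),
        VirtualRouter("vr-sg", "sg1", {"ethernet1/4"}, inter_vr_routes={"vr2"}),
    ]
    zones = [
        Zone("trust", "vsys1"),
        Zone("to-vsys2", "vsys1", external_to="vsys2"),
        Zone("trust", "vsys2"),
        Zone("to-sg", "vsys2", external_to="sg1"),
    ]
    return Firewall({"vsys1", "vsys2"}, {"sg1"}, vrs, zones)


if __name__ == "__main__":
    fw = build_sample()
    print("unassigned:", fw.unassigned_resources())
    print("vsys2 -> shared gateway:", fw.policy_check("vsys2", "sg1"))
    print("vsys1 -> vsys2:", fw.policy_check("vsys1", "vsys2"))
    print("cross-VR without routes:", fw.forwarding_possible("ethernet1/1", "ethernet1/3.20"))
```

In the sample, vsys2 can reach the shared gateway (rule in vsys2 only, external zone present, inter-VR routes in both directions), while vsys1 -> vsys2 is flagged because vsys2 has no external zone pointing back at vsys1, and ethernet1/1 -> ethernet1/3.20 fails because vr1 and vr2 have no inter-VR static routes.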